Include certificate expiry check in all kubernetes commands (#899)

* Include certificate expiry check in all kubernetes commands Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com> * Using PostRun from Cobra and fixing review comments Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com> * Modifying logging for error on certificate check Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com> * Fixing review comments Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com> * Fixing string messages Signed-off-by: Pravin Pushkar <ppushkar@microsoft.com>
2022-02-25 13:43:08 +05:30 · 2022-02-25 13:43:08 +05:30 · 34353a27e2
parent 5a8c3314ce
commit 34353a27e2
10 changed files with 63 additions and 4 deletions
--- a/cmd/components.go
+++ b/cmd/components.go
@ -39,6 +39,9 @@ var ComponentsCmd = &cobra.Command{
 			}
 		}
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		kubernetes.CheckForCertExpiry()
+	},
 	Example: `
 # List Kubernetes components
 dapr components -k
--- a/cmd/configurations.go
+++ b/cmd/configurations.go
@ -39,6 +39,9 @@ var ConfigurationsCmd = &cobra.Command{
 			}
 		}
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		kubernetes.CheckForCertExpiry()
+	},
 	Example: `
 # List Kubernetes Dapr configurations
 dapr configurations -k
--- a/cmd/dashboard.go
+++ b/cmd/dashboard.go
@ -181,6 +181,11 @@ dapr dashboard -k -p 9999
 			}
 		}
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		if kubernetesMode {
+			kubernetes.CheckForCertExpiry()
+		}
+	},
 }

 func init() {
--- a/cmd/list.go
+++ b/cmd/list.go
@ -87,6 +87,11 @@ dapr list -k
 			outputList(list, len(list))
 		}
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		if kubernetesMode {
+			kubernetes.CheckForCertExpiry()
+		}
+	},
 }

 func init() {
--- a/cmd/logs.go
+++ b/cmd/logs.go
@ -44,6 +44,9 @@ dapr logs -k --app-id sample --pod-name target --namespace custom
 		}
 		print.SuccessStatusEvent(os.Stdout, "Fetched logs")
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		kubernetes.CheckForCertExpiry()
+	},
 }

 func init() {
--- a/cmd/mtls.go
+++ b/cmd/mtls.go
@ -47,6 +47,9 @@ dapr mtls -k
 		}
 		fmt.Printf("Mutual TLS is %s in your Kubernetes cluster \n", status)
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		kubernetes.CheckForCertExpiry()
+	},
 }

 var ExportCMD = &cobra.Command{
@ -60,12 +63,15 @@ dapr mtls export -o ./certs
 		err := kubernetes.ExportTrustChain(exportPath)
 		if err != nil {
 			print.FailureStatusEvent(os.Stderr, fmt.Sprintf("error exporting trust chain certs: %s", err))
-			return
+			os.Exit(1)
 		}

 		dir, _ := filepath.Abs(exportPath)
 		print.SuccessStatusEvent(os.Stdout, fmt.Sprintf("Trust certs successfully exported to %s", dir))
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		kubernetes.CheckForCertExpiry()
+	},
 }

 var ExpiryCMD = &cobra.Command{
--- a/cmd/status.go
+++ b/cmd/status.go
@ -54,6 +54,9 @@ dapr status -k

 		utils.PrintTable(table)
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		kubernetes.CheckForCertExpiry()
+	},
 }

 func init() {
--- a/cmd/upgrade.go
+++ b/cmd/upgrade.go
@ -45,6 +45,9 @@ dapr upgrade -k
 		}
 		print.SuccessStatusEvent(os.Stdout, "Dapr control plane successfully upgraded to version %s. Make sure your deployments are restarted to pick up the latest sidecar version.", upgradeRuntimeVersion)
 	},
+	PostRun: func(cmd *cobra.Command, args []string) {
+		kubernetes.CheckForCertExpiry()
+	},
 }

 func init() {
--- a/pkg/kubernetes/mtls.go
+++ b/pkg/kubernetes/mtls.go
@ -28,12 +28,14 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"

+	"github.com/dapr/cli/pkg/print"
 	"github.com/dapr/dapr/pkg/apis/configuration/v1alpha1"
 )

 const (
-	systemConfigName      = "daprsystem"
-	trustBundleSecretName = "dapr-trust-bundle" // nolint:gosec
+	systemConfigName         = "daprsystem"
+	trustBundleSecretName    = "dapr-trust-bundle" // nolint:gosec
+	warningDaysForCertExpiry = 30                  // in days
 )

 func IsMTLSEnabled() (bool, error) {
@ -107,6 +109,32 @@ func ExportTrustChain(outputDir string) error {
 	return nil
 }

+// Check and warn if cert expiry is less than `warningDaysForCertExpiry` days.
+func CheckForCertExpiry() {
+	expiry, err := Expiry()
+	// The intent is to warn for certificate expiry, only when it can be fetched.
+	// Do not show any kind of errors with normal command flow.
+	if err != nil {
+		return
+	}
+	daysRemaining := int(expiry.Sub(time.Now().UTC()).Hours() / 24)
+
+	if daysRemaining < warningDaysForCertExpiry {
+		warningMessage := ""
+		switch {
+		case daysRemaining == 0:
+			warningMessage = "Dapr root certificate of your Kubernetes cluster expires today."
+		case daysRemaining < 0:
+			warningMessage = "Dapr root certificate of your Kubernetes cluster has expired."
+		default:
+			warningMessage = fmt.Sprintf("Dapr root certificate of your Kubernetes cluster expires in %v days.", daysRemaining)
+		}
+		helpMessage := "Please see docs.dapr.io for certificate renewal instructions to avoid service interruptions."
+		print.WarningStatusEvent(os.Stdout,
+			fmt.Sprintf("%s Expiry date: %s. \n %s", warningMessage, expiry.Format(time.RFC1123), helpMessage))
+	}
+}
+
 func getTrustChainSecret() (*corev1.Secret, error) {
 	_, client, err := GetKubeConfigClient()
 	if err != nil {
--- a/tests/e2e/common/common.go
+++ b/tests/e2e/common/common.go
@ -490,7 +490,7 @@ func uninstallTest(all bool) func(t *testing.T) {
 		go waitPodDeletion(t, done, podsDeleted)
 		select {
 		case <-podsDeleted:
-			t.Log("pods were delted as expected on uninstall")
+			t.Log("pods were deleted as expected on uninstall")
 			return
 		case <-time.After(2 * time.Minute):
 			done <- struct{}{}